From 68148e031cec20e3ff57a2f7c6be65d49c1f8dfd Mon Sep 17 00:00:00 2001 From: Sebastien Blot Date: Fri, 1 Dec 2023 14:04:18 +0100 Subject: [PATCH] add evt to on_match hoks --- pkg/acquisition/modules/waap/waap_runner.go | 4 ++-- pkg/waf/waap.go | 9 +++++---- pkg/waf/waf_helpers.go | 4 +++- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/pkg/acquisition/modules/waap/waap_runner.go b/pkg/acquisition/modules/waap/waap_runner.go index abbe32c6f..935b32716 100644 --- a/pkg/acquisition/modules/waap/waap_runner.go +++ b/pkg/acquisition/modules/waap/waap_runner.go @@ -187,7 +187,7 @@ func (r *WaapRunner) handleInBandInterrupt(request *waf.ParsedRequest) { r.WaapRuntime.Response.HTTPResponseCode = r.WaapRuntime.Config.BlockedHTTPCode r.WaapRuntime.Response.Action = r.WaapRuntime.DefaultRemediation - err = r.WaapRuntime.ProcessOnMatchRules(request) + err = r.WaapRuntime.ProcessOnMatchRules(request, evt) if err != nil { r.logger.Errorf("unable to process OnMatch rules: %s", err) return @@ -223,7 +223,7 @@ func (r *WaapRunner) handleOutBandInterrupt(request *waf.ParsedRequest) { r.logger.Debugf("inband rules matched : %d", in.RuleID) r.WaapRuntime.Response.OutOfBandInterrupt = true - err = r.WaapRuntime.ProcessOnMatchRules(request) + err = r.WaapRuntime.ProcessOnMatchRules(request, evt) if err != nil { r.logger.Errorf("unable to process OnMatch rules: %s", err) return diff --git a/pkg/waf/waap.go b/pkg/waf/waap.go index db0dce691..0954830a7 100644 --- a/pkg/waf/waap.go +++ b/pkg/waf/waap.go @@ -8,6 +8,7 @@ import ( "github.com/antonmedv/expr" "github.com/antonmedv/expr/vm" "github.com/crowdsecurity/crowdsec/pkg/cwhub" + "github.com/crowdsecurity/crowdsec/pkg/types" log "github.com/sirupsen/logrus" "gopkg.in/yaml.v2" ) @@ -37,7 +38,7 @@ func (h *Hook) Build(hookStage int) error { case hookPreEval: ctx = GetPreEvalEnv(&WaapRuntimeConfig{}, &ParsedRequest{}) case hookOnMatch: - ctx = GetOnMatchEnv(&WaapRuntimeConfig{}, &ParsedRequest{}) + ctx = GetOnMatchEnv(&WaapRuntimeConfig{}, &ParsedRequest{}, types.Event{}) } opts := GetExprWAFOptions(ctx) if h.Filter != "" { @@ -285,11 +286,11 @@ func (w *WaapRuntimeConfig) ProcessOnLoadRules() error { return nil } -func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest) error { +func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt types.Event) error { for _, rule := range w.CompiledOnMatch { if rule.FilterExpr != nil { - output, err := expr.Run(rule.FilterExpr, GetOnMatchEnv(w, request)) + output, err := expr.Run(rule.FilterExpr, GetOnMatchEnv(w, request, evt)) if err != nil { return fmt.Errorf("unable to run waap on_match filter %s : %w", rule.Filter, err) } @@ -305,7 +306,7 @@ func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest) error { } } for _, applyExpr := range rule.ApplyExpr { - _, err := expr.Run(applyExpr, GetOnMatchEnv(w, request)) + _, err := expr.Run(applyExpr, GetOnMatchEnv(w, request, evt)) if err != nil { log.Errorf("unable to apply waap on_match expr: %s", err) continue diff --git a/pkg/waf/waf_helpers.go b/pkg/waf/waf_helpers.go index c200d70b8..dda66a6b2 100644 --- a/pkg/waf/waf_helpers.go +++ b/pkg/waf/waf_helpers.go @@ -3,6 +3,7 @@ package waf import ( "github.com/antonmedv/expr" "github.com/crowdsecurity/crowdsec/pkg/exprhelpers" + "github.com/crowdsecurity/crowdsec/pkg/types" ) var exprFunctionOptions []expr.Option @@ -53,9 +54,10 @@ func GetPreEvalEnv(w *WaapRuntimeConfig, request *ParsedRequest) map[string]inte } } -func GetOnMatchEnv(w *WaapRuntimeConfig, request *ParsedRequest) map[string]interface{} { +func GetOnMatchEnv(w *WaapRuntimeConfig, request *ParsedRequest, evt types.Event) map[string]interface{} { //FIXME: use expr.Function instead of this return map[string]interface{}{ + "evt": evt, "req": request, "IsInBand": request.IsInBand, "IsOutBand": request.IsOutBand,